Why the status of IT security is changing within Australian companies

In most organizations, cybersecurity strategies tend to take a technology-driven approach. But with changing expectations and more possibilities arising from new smart technologies, the status of IT security is changing, writes Sash Vasilevski, director of information security consultancy Security Centric.

Traditionally, IT teams choose what they consider to be the most appropriate tools and deploy them across their infrastructure. Now, in 2022, that is changing. Rather than being treated as just one more thing an IT team needs to worry about, IT security is increasingly being treated as a dedicated discipline in its own right.

This shift in mindset will allow for clearer connections between cybersecurity risks and business objectives. This, in turn, will help ensure that sufficient resources are allocated to the task and that the levels of risk involved are in line with business expectations.

Ensure effective alignment

Achieving alignment between risk and business expectations requires a number of steps. Each builds on the previous one and ensures that the IT security measures in place are the most appropriate for the organization. The required steps include:

A first assessment: The first step is to carefully inventory all the components that together make up the organization's IT infrastructure. This includes everything from applications and databases to servers, networks and client devices.

Check the data flows: The next step is to look at how data is transmitted, both within the company and externally. This helps to identify where weaknesses exist that need to be addressed.

Examine the cloud resources: As businesses increasingly use cloud-based resources, it is important to remember that securing those resources is not left entirely to the cloud provider. Review every use of the cloud and ensure that the appropriate security layers have been put in place on the customer's side of that shared responsibility.

Determine acceptable levels of risk: Regardless of the amount spent and the security measures implemented, some level of risk will always remain. For this reason, it is important to determine which level the company finds acceptable and whether the level that currently exists matches it.

Manage this risk: Once the level of risk is understood, a strategy for managing it can be developed. The security team can work to avoid risk, accept some risk, mitigate risk, or transfer risk. This can be supported by engaging an external specialist to manage security tools and other measures.

Perform what-if scenarios: Once acceptable levels of risk have been identified and measures put in place to maintain them, it is time to run what-if scenarios. This involves considering what the impact on the business would be if a particular event occurred. Such events can include ransomware attacks, data theft, or malicious insider activity.

Security is now a board-level issue

As a growing number of companies realize that they need to address security separately from their broader IT operations, many are making it a board-level issue. The board should understand the risks the organization faces, the measures that have been put in place to mitigate those risks, and what can happen if an attack succeeds.

Board-level attention is especially important at a time when many organizations continue to have large numbers of employees working from home. Remote work is a game changer when it comes to achieving effective security, and senior management needs to be fully briefed on what is required.

Senior management also has a key role to play when it comes to user education and attitudes. If the importance of adopting safe work practices is communicated from above, staff are more likely to take it seriously and comply. As a result, staff will be less likely to fall for phishing attacks or infect their devices with malicious code. This, in turn, reduces the likelihood of serious disruptions occurring.

Maintaining robust IT security is a job that is never truly done. However, through constant review and adjustment, security infrastructures can provide the levels of protection that growing businesses need.